Windows Analysis Report
eicar.txt

Overview

General Information

Sample name: eicar.txt
Analysis ID: 1648554
MD5: 44d88612fea8a8f36de82e1278abb02f
SHA1: 3395856ce81f2b7382dee72602f798b642f14140
SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

Detection

EICAR
Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
EICAR test file detected
Multi AV Scanner detection for submitted file
Yara detected EICAR
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • notepad.exe (PID: 7360 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\eicar.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):
Source: eicar.txt, Rule: JoeSecurity_EICAR, Description: Yara detected EICAR, Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: eicar.txt, Avira: detected
    Source: eicar.txt, Virustotal: Detection: 97%
    Source: eicar.txt, ReversingLabs: Detection: 100%

    System Summary

    Source: eicar.txt, Initial sample: EICAR test sig
    Source: Yara match, File source: eicar.txt, type: SAMPLE
    Source: classification engine, Classification label: mal72.troj.winTXT@1/0@0/0
    Source: C:\Windows\System32\notepad.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: eicar.txt, Virustotal: Detection: 97%
    Source: eicar.txt, ReversingLabs: Detection: 100%
    Source: C:\Windows\System32\notepad.exe, Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: uxtheme.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: mrmcorer.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: windows.storage.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: wldp.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: textshaping.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: efswrt.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: mpr.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: wintypes.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: oleacc.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: textinputframework.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: coremessaging.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: ntmarta.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: coremessaging.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: urlmon.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: iertutil.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: srvcli.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: netutils.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: propsys.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: policymanager.dll
    Source: C:\Windows\System32\notepad.exe, Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\notepad.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
    Source: C:\Windows\System32\notepad.exe, Queries volume information: C:\Users\user\Desktop\eicar.txt VolumeInformation
    MITRE ATT&CK matrix (tactic: technique; the number in parentheses is the signature count shown in the report):
    • Reconnaissance: Gather Victim Identity Information
    • Resource Development: Acquire Infrastructure
    • Initial Access: Valid Accounts
    • Execution: Windows Management Instrumentation
    • Persistence: DLL Side-Loading (1)
    • Privilege Escalation: DLL Side-Loading (1)
    • Defense Evasion: DLL Side-Loading (1)
    • Credential Access: OS Credential Dumping
    • Discovery: System Information Discovery (11)
    • Lateral Movement: Remote Services
    • Collection: Data from Local System
    • Command and Control: Data Obfuscation
    • Exfiltration: Exfiltration Over Other Network Medium
    • Impact: Abuse Accessibility Features
    Behavior Graph (ID: 1648554, Sample: eicar.txt, Start date: 25/03/2025, Architecture: WINDOWS, Score: 72)
    • Signatures attached to the sample node: EICAR test file detected; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected EICAR
    • Process started from the sample: notepad.exe

    Antivirus results (Source, Detection, Scanner, Label):
    Source: eicar.txt, Detection: 97%, Scanner: Virustotal
    Source: eicar.txt, Detection: 100%, Scanner: ReversingLabs, Label: DOS.Malware.EICAR
    Source: eicar.txt, Detection: 100%, Scanner: Avira, Label: Eicar-Test-Signature
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox version: 42.0.0 Malachite
    Analysis ID: 1648554
    Start date and time: 2025-03-25 22:53:39 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 3m 36s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 11
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: eicar.txt
    Detection: MAL
    Classification: mal72.troj.winTXT@1/0@0/0
    Cookbook Comments:
    • Found application associated with file extension: .txt
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.31.69.3, 52.149.20.212
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    No simulations
    No context
    No created / dropped files found
    File type: EICAR virus test files
    Entropy (8bit): 4.8723276870872425
    TrID:
    File name: eicar.txt
    File size: 68 bytes
    MD5: 44d88612fea8a8f36de82e1278abb02f
    SHA1: 3395856ce81f2b7382dee72602f798b642f14140
    SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
    SHA512: cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab
    SSDEEP: 3:a+JraNvsgzsVqSwHq9:tJuOgzsko
    TLSH: 41A022003B0EEE2BA20B00200032E8B00808020E2CE00A3820A020B8C83308803EC228
    File Content Preview: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    Icon Hash: 72eaa2aaa2a2a292
      No network behavior found
    [Process timeline charts omitted: x-axis 0-100 s; y-axes 0-100 and 0-20 MB. Behavior distribution categories: File, Registry]

    Target ID: 0
    Start time: 17:54:31
    Start date: 25/03/2025
    Path: C:\Windows\System32\notepad.exe
    Wow64 process (32bit): false
    Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\eicar.txt
    Imagebase: 0x7ff7d6920000
    File size: 201'216 bytes
    MD5 hash: 27F71B12CB585541885A31BE22F61C83
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: false

      No disassembly